🚀. Socket Launch Week Day 2:Introducing Manifest Alerts.Learn more
Sign In

logscale-mcp-server

Package Overview
Dependencies
Maintainers
1
Versions
3
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

logscale-mcp-server

MCP server for querying CrowdStrike LogScale logs

latest
Source
npmnpm
Version
0.1.8
Version published
Maintainers
1
Created
Source

LogScale MCP Server
Query CrowdStrike LogScale logs from AI assistants via the Model Context Protocol

Node.js ≥ 18 TypeScript 5.8 MCP SDK 1.12

Coverage 97% 67 Tests Passed Build Passing

ESLint Security Prettier CodeQL Trivy SBOM Gitleaks pnpm Audit Clean

FeaturesQuick StartToolsUsageQueriesSecurityCIArchitectureContributing

Introduction

LogScale MCP Server lets you query CrowdStrike LogScale logs through natural language in VS Code Copilot Chat, Claude Desktop, or any MCP-compatible client. Instead of writing raw CQL queries and managing API calls, just ask:

"Show me errors in the xxxx namespace from the last hour"

"Find all 500 errors from the xyxyxy pod today"

"Search logs for request ID f6796646b043d231bf67f589b7306e9b"

The server handles query submission, polling, result formatting, and pagination automatically.

Features

  • 2 MCP toolssearch_logs and get_query_job for comprehensive log querying
  • CrowdStrike Query Language (CQL) — full support for filters, pipes, aggregations, and field searches
  • Automatic poll loop — submits query jobs and polls with server-suggested intervals until completion
  • Smart result formatting — structured output with field statistics, event counts, and metadata
  • Configurable defaults — custom timeouts, pagination limits, poll intervals, and max events
  • Time range support — relative (1h, 7d) and absolute (epoch milliseconds) time ranges
  • VS Code Extension — bundled extension with built-in configuration UI for LogScale connection settings
  • Monorepo architecture — clean separation between server (logscale-mcp-server) and extension (logscale-mcp-vscode)

Quality & Security

AreaDetails
Test Coverage97% statements · 91% branches · 95% functions — 67 tests across 6 suites
Type SafetyStrict TypeScript with noEmit type checking on every CI run
LintingESLint with eslint-plugin-security for vulnerability pattern detection
FormattingPrettier-enforced code style across all source and test files
Static AnalysisGitHub CodeQL with security-extended query suite
Dependency Auditpnpm audit at moderate+ severity — zero known vulnerabilities
SBOM & CVE ScanTrivy filesystem scan for CRITICAL and HIGH severity vulnerabilities
Secret ScanningGitleaks in CI + pre-commit hook for local secret detection
Dependency ReviewPR-level review blocking moderate+ severity and GPL-3.0/AGPL-3.0 licenses
Commit StandardsConventional Commits enforced via commitlint
Multi-Node TestingCI tests on Node.js 18, 20, and 22

Quick Start

Prerequisites

  • Node.js ≥ 18
  • pnpm (recommended) or npm
  • A LogScale instance with API access and a Bearer token

Install from npm

# Install globally
npm install -g logscale-mcp-server

# Or run directly with npx
npx logscale-mcp-server

Install from Source

git clone https://github.com/bhayanak/logscale-mcp-server.git
cd logscale-mcp-server
pnpm install
pnpm -r build

Configuration

VariableRequiredDescription
LOGSCALE_BASE_URLYesLogScale instance URL (include path prefix like /logs if needed)
LOGSCALE_API_TOKENYesBearer token for authentication
LOGSCALE_REPOSITORYNoDefault repository name
LOGSCALE_TIMEOUT_MSNoMax poll timeout (default: 60000)
LOGSCALE_POLL_INTERVAL_MSNoPoll interval (default: 1000)
LOGSCALE_MAX_EVENTSNoDefault pagination limit (default: 200)

Tools

search_logs

Submit a CQL query, wait for results, and return formatted log events.

ParameterTypeRequiredDescription
queryStringstringYesCQL query string
startstring/numberNoStart time — relative ("1h", "7d") or epoch ms
endstring/numberNoEnd time — "now" or epoch ms
repositorystringNoTarget repository (overrides default)
maxEventsnumberNoMax events to return (default: 200, max: 500)

get_query_job

Check status or retrieve results of an existing query job.

ParameterTypeRequiredDescription
jobIdstringYesQuery job ID from a previous search_logs call
repositorystringNoRepository the job was submitted to
maxEventsnumberNoMax events to return

Usage

VS Code (MCP)

Add to .vscode/mcp.json:

{
  "servers": {
    "logscale": {
      "command": "npx",
      "args": ["-y", "logscale-mcp-server"],
      "env": {
        "LOGSCALE_BASE_URL": "https://your-logscale-instance.com",
        "LOGSCALE_API_TOKEN": "your-api-token",
        "LOGSCALE_REPOSITORY": "your-repository"
      }
    }
  }
}

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "logscale": {
      "command": "npx",
      "args": ["-y", "logscale-mcp-server"],
      "env": {
        "LOGSCALE_BASE_URL": "https://your-logscale-instance.com",
        "LOGSCALE_API_TOKEN": "your-api-token",
        "LOGSCALE_REPOSITORY": "your-repository"
      }
    }
  }
}

CQL Query Examples

# Simple namespace filter
"kubernetes.namespace_name" = "your-namespace"

# Filter by namespace AND app label
"kubernetes.namespace_name" = "your-namespace"
| "kubernetes.labels.app_kubernetes_io/instance" = "your-instance-name"

# Search for errors in a namespace
kubernetes.namespace_name = "your-namespace" | ERROR

# Chain multiple filters
kubernetes.namespace_name = "your-namespace"
| 81bd572b6f202eccb9538408cb764c89
| "Pod Network CIDR is not provided"

# Aggregations
ERROR | groupBy(kubernetes.pod_name, function=count())
ERROR | top(log, limit=10)
ERROR | timechart(span=5m)

Time Ranges

FormatExampleDescription
Relative"1h", "24h", "7d", "30m"Lookback from now
Absolute1773599400000Epoch milliseconds
End"now" or epoch msEnd of time window

Architecture

AI Client (VS Code Copilot, Claude Desktop)
    ↕  MCP (stdio transport)
LogScale MCP Server (TypeScript / Node.js)
    ↕  HTTPS (REST API)
CrowdStrike LogScale (Query Jobs API)

The server uses LogScale's 2-step Query Jobs API:

  • SubmitPOST /api/v1/repositories/{repo}/queryjobs → returns job ID
  • PollGET /api/v1/repositories/{repo}/queryjobs/{id} → poll until done, return results

Troubleshooting

"Unexpected token '<'" / HTML response error

The LOGSCALE_BASE_URL is likely incorrect. Many LogScale deployments serve the API under a path prefix (e.g., /logs). Check the URL in your browser's network tab — if API calls go to https://host/logs/api/v1/..., set:

LOGSCALE_BASE_URL=https://your-host/logs

Authentication failures (401/403)

Verify your LOGSCALE_API_TOKEN is valid and has read permission on the target repository.

Repository not found (404)

Check the LOGSCALE_REPOSITORY name matches exactly (case-sensitive).

License

MIT

Keywords

mcp
logscale
crowdstrike
cql
logs
ai

FAQs

Package last updated on 19 May 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Introducing Manifest Alerts

Product

Introducing Manifest Alerts

Socket now detects supply chain risks in project manifests, starting with missing lockfiles that can make dependency installs non-reproducible.

By André Staltz, Trevor Norris  -  Jun 16, 2026
GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions

Research

/

Security News

GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions

The trojanized extensions use TinyGo-compiled WebAssembly and Solana transaction memos to resolve command-and-control infrastructure.

By Joseph Edwards  -  Jun 15, 2026